A number of bugs were discovered in the NDR parsing support in Samba
that is used to decode MS-RPC requests. A remote attacker could
send a carefully crafted request that would cause a heap overflow,
possibly leading to the ability to execute arbitrary code on the server
(CVE-2007-2446).

A remote authenticated user could trigger a flaw where unescaped
user input parameters were being passed as arguments to /bin/sh
(CVE-2007-2447).

Finally, on Samba 3.0.23d and higher, when Samba translated SID to/from
name using the Samba local list of user and group accounts, a logic
error in smbd's internal security stack could result in a transition
to the root user id rather than the non-root user (CVE-2007-2444).

Update:

The fix for CVE-2007-2444 broke the behaviour of force group when
the forced group is a local Unix group for domain member servers.